How crypto exchanges handle liquidity crises after major hacks

Understanding liquidity crises

A liquidity crisis occurs when an organization lacks sufficient liquid assets, such as cash or assets readily convertible to cash, to meet its short-term financial obligations.

Major hacks in the cryptocurrency exchange sector can trigger liquidity crises in several ways. The immediate depletion of assets, especially from compromised hot wallets, can severely impact an exchange’s ability to process withdrawals and maintain normal operations.

Beyond the direct financial loss, panic-driven user withdrawals can escalate a crisis. Once news of a hack spreads, customers may rush to withdraw their assets, fearing further losses. This sudden spike in withdrawal requests puts immense pressure on an exchange’s remaining liquid reserves, making it even harder to maintain solvency.

Additionally, the broader market confidence in the exchange can deteriorate, leading to a decline in trading activity, reduced investor interest and further capital flight.

Without quick and strategic intervention, such liquidity shocks can spiral into insolvency, forcing the exchange to suspend operations or seek external financial assistance.

Immediate response actions to protect user funds after a hack

When a hack is detected, exchanges must act swiftly to contain the damage and protect user funds. The first steps include:

• Freezing asset movements: Exchanges suspend withdrawals and deposits to prevent further losses. In 2019, Binance halted all transactions for a week to conduct a security review, while KuCoin immediately froze funds and transferred assets from compromised wallets.
• Transparent communication: Quick and clear messaging helps maintain user trust and prevent panic. In a 2025 Bybit hack, the CEO addressed the community within 30 minutes and held a livestream within an hour. Binance, during its 2019 hack, tweeted “Funds are #SAFU” to reassure users.
• Industry coordination: Competitor exchanges help by blacklisting hacker addresses, making it harder for stolen funds to be moved or laundered. This was seen in Bybit’s 2025 hack when major platforms blocked suspicious transactions.
• Security investigations: Exchanges mobilize internal forensics teams to identify the breach, whether it’s a hot wallet compromise, leaked API keys or a smart contract exploit. Logs are analyzed, vulnerabilities patched and affected systems secured.
• Ensuring user confidence: While technical details aren’t always immediately disclosed, exchanges assure users that a thorough security check is underway.

​Did you know? The first 24 hours after discovering a cyberattack are often called the “golden hours.” Actions taken during this critical period can significantly impact the extent of damage and the success of recovery.

Containment and damage assessment after a crypto hack

Once the immediate threat is neutralized, exchanges focus on identifying the breach and securing assets. This phase involves determining exactly what happened, how the attack was executed and the extent of the financial loss.

Identifying the cause

A forensic investigation is launched to uncover the technical root of the hack. The 2016 Bitfinex breach was traced to a multisignature wallet vulnerability, while Bybit’s 2025 cold wallet exploit revealed new attack vectors in multisig security. Exchanges analyze logs and system activity to pinpoint weaknesses, whether from leaked private keys, software bugs or exploited smart contracts.

Quantifying financial impact

Exchanges must quickly calculate how much was stolen and which assets were affected. Blockchain analytics firms assist in tracking stolen funds, as seen in KuCoin’s 2020 hack when investigators identified hacker wallets within hours and disclosed them publicly. Knowing the exact financial damage helps exchanges determine their next steps in liquidity management and user compensation.

Securing remaining funds

To prevent further losses, exchanges transfer unaffected assets into new wallets, often switching hot wallets and reinforcing cold storage security. When KuCoin suffered a breach, it abandoned compromised wallets and moved all funds to new secure wallets, ensuring ongoing security. Some exchanges may also halt trading temporarily to prevent market manipulation.

Full damage assessment

With the breach contained, exchanges audit affected user accounts, currencies and potential personal data leaks. Many bring in external cybersecurity firms for deeper forensic analysis. This investigation, typically completed within one to two days, sets the foundation for the exchange’s recovery and compensation plan.

Did you know? ​Bybit’s February 2025 hack was the largest crypto heist in history, with hackers stealing about $1.5 billion worth of Ethereum during a routine transfer from an offline “cold” wallet to a “warm” wallet.

Liquidity management and fund recovery strategies after exchange hacks

As briefly explored earlier, hacks often lead to an immediate liquidity crisis for an exchange. Customers who hear about a breach may rush to withdraw funds when the exchange has a sudden hole in its balance sheet. Managing solvency and liquidity is a critical step.

Insurance and emergency reserves

Well-prepared exchanges tap into insurance funds or emergency reserves set aside for such events.

Binance provides a textbook example: After $40 million in Bitcoin was stolen in its 2019 hack, Binance announced it would use its reserves to cover the incident in full, assuring that “no user funds will be affected.”​

Binance’s Secure Asset Fund for Users (SAFU) — an insurance pool funded by trading fees — absorbed the loss and users were fully reimbursed. This proactive planning kept Binance solvent and preserved user confidence.

Not all exchanges have large insurance funds, so other liquidity strategies come into play.

Corporate capital, loans and investors

One approach is to use corporate capital or seek emergency financing. For instance, in response to the Bybit hack, the exchange demonstrated a commitment to transparency and customer protection. It initiated efforts to trace the stolen funds, with reports indicating that 77% of the stolen assets remain traceable on the blockchain.

Bybit's approach to managing the aftermath of the hack mirrors strategies employed by other exchanges facing security challenges. For example, after a $530 million hack in 2018, Japan’s Coincheck famously used its own capital to reimburse customers to the tune of 46.3 billion yen (about $422 million)​. This was a massive outlay, but it prevented a loss of customer funds and helped Coincheck avoid bankruptcy.

In South Korea, Bithumb’s $30 million hack in 2018 was similarly met with a promise to “pay back victims using its own reserves,” which experts praised as the right move​.

In cases where internal funds aren’t enough, exchanges have turned to external loans or investors to shore up liquidity. A notable case was Liquid Global’s hack in 2021. The Japanese exchange lost around $90 million, raising fears of insolvency. To respond, Liquid secured a $120 million loan from FTX a week later​.

This emergency credit provided the liquidity to cover user withdrawals and stabilize operations (FTX went on to acquire Liquid later). Such industry partnerships can act as a backstop in crises, with a bigger exchange or investor acting as a lender of last resort to prevent a domino effect in the market.

Suspension of activity

Exchanges may also temporarily suspend certain services to manage liquidity. It’s common to keep trading open (to avoid wider market panic) but pause withdrawals until a recovery plan is set. This was seen in the Binance case, where trading continued during the week withdrawals were frozen​.

Bybit’s 2025 hack response was unusual in that it kept withdrawals and services running uninterrupted​, which was possible only because Bybit could immediately guarantee 1:1 reserves for all customers​. In most scenarios, some freeze is necessary to prevent a “run on the bank” scenario while the exchange evaluates its financial standing.

Assurances

Finally, communication plays a big role in liquidity management. Exchange executives must convince users and stakeholders that the platform remains solvent. This often involves publishing proof of reserves or making public statements of assurance. Bybit’s leadership, for instance, emphasized that “all client assets are backed one-to-one” despite the $1.5 billion theft​, effectively saying they could absorb the hit.

Similarly, Bitfinex in 2016 chose to “generalize” losses across users, implementing a 36% haircut on all accounts but crucially accompanying that with BFX tokens as IOUs to compensate users over time.

That difficult decision kept Bitfinex afloat when a total immediate payout was impossible. Within eight months, Bitfinex had redeemed all the tokens at full value​, demonstrating a full recovery and restoration of liquidity.

Fund recovery and user compensation post-exchange hacks

After stabilizing operations and finances, attention turns to recovering the stolen assets and compensating affected users.

Technically, cryptocurrency theft doesn’t always mean the funds are gone forever. The open ledger of blockchain can help track and sometimes reclaim assets. Exchanges often collaborate with blockchain analytics firms and law enforcement to trace stolen funds.

In many instances, the hacker’s addresses are flagged within hours. For example, within 18 minutes of Bybit confirming its hack, investigators had identified the hacker’s wallet and were tracking movements​. Similarly, KuCoin quickly published the wallet addresses the thief used​, enabling a global effort to monitor and freeze the funds.

Cooperation with other industry players is vital in fund recovery. Because hackers typically try to launder funds through other exchanges or swap services, exchanges worldwide form a defensive alliance. As mentioned, major platforms may blacklist addresses linked to hacks, effectively freezing the stolen assets in place if the hacker attempts to cash out on a compliant exchange​.

In the KuCoin 2020 hack (~$285 million stolen), this collaboration paid off: Tether blacklisted about $22 million USDT belonging to the hacker, and numerous crypto projects like Ocean Protocol, Aave and others either disabled or upgraded their contracts to render the thief’s tokens unusable​.

Through these collective actions, an estimated 84% of KuCoin’s stolen funds were eventually recovered​. KuCoin’s insurance fund covered the remaining gap, so users were fully compensated​.

In some extraordinary cases, negotiation with the attackers can lead to fund returns. Crypto history has seen “white hat” hackers who return money for a bounty or even outright negotiations where a portion is returned to avoid prosecution. The Poly Network hack of 2021 is a striking example (though it was a DeFi platform, not a centralized exchange): A hacker exploited $610 million due to a code flaw, then communicated with Poly Network and returned nearly all funds after being offered a reward and a security adviser position​.

While exchanges typically involve law enforcement rather than pay ransoms, they have also offered bug bounties for information leading to recovery. For instance, Bitfinex offered rewards to hackers or informants after its 2016 hack. Years later, the US DOJ seized a significant portion (94,000 BTC) of the Bitfinex stolen funds in 2022​, which are now pending return through legal processes.

User compensation is the flip side of fund recovery. If users lose assets, how and when will they be made whole? The ideal scenario is immediate full reimbursement, as done by Binance, Coincheck, Upbit, Bithumb, KuCoin and others discussed earlier.

In cases where not all funds can be recovered or instantly repaid, exchanges have innovated, like when Bitfinex issued BFX tokens (essentially debt tokens) to customers equal to their loss, which were tradable and later redeemable.

Did you know? Mt. Gox, unfortunately, exemplified the worst case: it went into bankruptcy, and users have waited years for partial refunds through legal bankruptcy proceedings. (Mt. Gox’s trustee is still distributing the recovered coins as of Feb.2025, illustrating the slow path of legal compensation.)

Regulatory and compliance actions following a major exchange hack

Major hacks invariably draw the attention of regulators and law enforcement, adding another dimension to crisis response.

Exchanges must navigate legal obligations to report hacks and often solicit help from authorities to investigate. In many jurisdictions, a hack triggers an automatic review by financial regulators. For example, following the $530 million Coincheck hack in Japan, the Financial Services Agency (FSA) immediately issued an administrative order requiring Coincheck to improve operations and protect clients​.

The FSA even raided Coincheck’s offices a week later to ensure evidence was preserved and that the exchange was taking proper steps​. This level of direct regulatory action underscores how serious such incidents are viewed in regulated markets.

Working with regulators can also help an exchange in crisis. Officials may allow an exchange to continue operating under supervision if they believe the team is acting in good faith to resolve the issue (Coincheck was allowed to keep running while it formulated a compensation plan under FSA oversight​).

However, if negligence is suspected, regulators can suspend licenses or even force operations to halt to protect consumers. In South Korea, after incidents like the Bithumb hack, government agencies like KISA (Korea Internet and Security Agency) got involved to investigate security lapses​. Exchanges are generally expected to report breaches promptly under cybersecurity and financial regulations, and failure to do so can result in penalties.

Law enforcement plays an important role, especially for international hacks. Exchanges often coordinate with police, cybercrime units, and agencies like the FBI or Interpol.

Bybit’s 2025 hack, for example, saw the exchange collaborating with regulators and law enforcement to address the hack, setting an example of public-private partnership in cyber investigations​. Such cooperation can facilitate freezing assets across borders and increase the chances of catching the perpetrators. It also helps exchanges demonstrate compliance and due diligence, which may be critical for maintaining their operating licenses.

High-profile hacks often become catalysts for regulatory change. After the Mt. Gox collapse in 2014, Japan was among the first countries to introduce a licensing regime for crypto exchanges. By 2017, exchanges in Japan had to register with the FSA and meet minimum standards for security, asset segregation and audits​. The Coincheck hack then prompted the FSA to tighten those rules further (and led to the formation of a self-regulatory body to oversee exchanges)​.

Regulators in other countries also pay attention: A massive hack might lead to new guidance on how much of an exchange’s funds must be kept in cold storage, requirements for proof-of-reserves or mandatory insurance coverage.

In the US, while there isn’t a federal exchange license yet, a hack affecting US customers could invite SEC or CFTC scrutiny, and certainly, state regulators would ask questions if the exchange was under their jurisdiction.

How crypto exchanges strengthen security after hacks

Surviving a hack forces exchanges to overhaul security, improve risk management and adopt best practices to prevent future breaches.

Key improvements include:

• Cold storage and multisig wallets: Exchanges now store most funds in cold wallets with multisignature access, reducing reliance on vulnerable hot wallets. After its hack, Coincheck adopted a stricter cold-wallet-plus-multisig system.
• Infrastructure upgrades: Exchanges like KuCoin, after its 2020 breach, upgraded firewalls, intrusion detection and key management protocols to enhance security.
• Stronger internal security controls: The Binance 2019 hack exposed weaknesses in API keys and 2FA, prompting the industry to adopt hardware security keys, AI-powered fraud detection and stricter withdrawal monitoring. Many exchanges now require dual authorization for large transactions.
• Crisis response improvements: Exchanges now operate Security Operations Centers (SOCs) for 24/7 monitoring and conduct regular security audits. Bug bounty programs have become standard, incentivizing ethical hackers to find vulnerabilities before attackers do.
• Industry-wide resilience: Lessons from major hacks have led to proof-of-reserves (PoR) audits, stricter KYC/AML policies and inter-exchange blacklists to prevent stolen funds from being laundered. Binance’s SAFU fund set a precedent for user protection reserves.
• Stronger regulatory frameworks: Hacks like Mt. Gox and Coincheck led Japan and other countries to enforce exchange licensing laws, security compliance checks and transaction monitoring.

While hacks remain a threat, past incidents have driven major improvements in crisis management and user protection, strengthening trust in the crypto ecosystem.